
Alfresco Community Share (Prototype) Security Hack

Alfresco Community Share comes with an access control list (ACL) based security model consisting of the Site Manager, Collaborator, Contributor and Consumer groups and their permissions. The terminology can be confusing: in the permissions dialog you may read “Collaborators have Collaborator privileges”. These privileges are actually convenience aggregations of low-level base permissions (_ReadProperties, _ReadChildren, etc.), as documented in the wiki. The default site model covers many use cases, but there are situations where it needs tweaking or “tricky” usage based on custom groups.

While working on a prototype system, I was faced with the following security requirements:

  • On one (project) site, we want to invite an arbitrary number of external users from various companies
  • Users of these companies must not see other companies' documents or activities
  • The Site Manager is responsible for cross-company security

The wiki page Custom Permissions in Share was not very encouraging, both regarding the technical route it outlines and the effort involved. Nevertheless it shows that at its core the Alfresco ACL security model is very fine grained and provides a lot of flexibility.

The challenge was to find the most simple (as in effort) technical solution addressing the requirements. I came up with the following approach:

  • Do not allow people without Site Collaborator privileges to create folders in the document library.
  • The Site Manager creates one folder per company.
  • Extend (hack; it is a prototype) the permissions dialog so that individual users can be assigned Collaborator privileges on a specific folder.
  • Assign external users Site Contributor privileges on the site.
[Figure: Individual Alfresco Share user roles]
[Figure: Hacked Alfresco Share permission dialog]

The funny thing is that you can assign a username to the group property of the JSON request:

params.push({group: username, role: "SiteCollaborator"}); // "group" is really an authority name, so a username works too

This works because the repository treats the value as an “authority”, and users are authorities just like groups are.
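As an added example (not code from the original post or from Alfresco), the following script builds the request the hacked dialog would send for the per-company folder scheme described above, and applies the guard a Site Manager would want in front of it: grants go only to individual site members and never above SiteCollaborator. The authority classification mirrors the repository rule the post relies on (a "GROUP_" prefix is a group, a "ROLE_" prefix a role, anything else a user). The webscript path slingshot/doclib/permissions/{nodeRef} under the Share proxy, the body shape {permissions: [{group, role, remove}], isInherited} and all user, site and nodeRef values are assumptions for illustration.

```javascript
// Added example, not the original post's code. Assumed: the Share 3.4
// DoclibPermissions webscript path and body shape, and all sample data.
const SITE_ROLES = ["SiteManager", "SiteCollaborator", "SiteContributor", "SiteConsumer"];

// Mirrors the repository's AuthorityType rule: a "GROUP_" prefix is a group,
// "ROLE_" a role, anything else is a user name. This is why the dialog can
// put a plain username into the "group" property of the request.
function authorityType(name) {
  if (name === "GROUP_EVERYONE") return "EVERYONE";
  if (name.startsWith("GROUP_")) return "GROUP";
  if (name.startsWith("ROLE_")) return "ROLE";
  return "USER";
}

// Share names its site role groups GROUP_site_<siteId>_<Role>.
function siteRoleGroup(siteId, role) {
  return "GROUP_site_" + siteId + "_" + role;
}

// Policy for the company folders: the target must be an individual user who
// is already a site member (externals hold SiteContributor on the site), and
// the folder-level role may be anything below SiteManager.
// `members` is a constructed map of username -> site role.
function validateGrant(grant, members) {
  if (!SITE_ROLES.includes(grant.role)) {
    return { ok: false, reason: "unknown role " + grant.role };
  }
  if (grant.role === "SiteManager") {
    return { ok: false, reason: "folder-level SiteManager is not allowed" };
  }
  if (authorityType(grant.authority) !== "USER") {
    return { ok: false, reason: "only individual users are granted on company folders" };
  }
  if (!Object.prototype.hasOwnProperty.call(members, grant.authority)) {
    return { ok: false, reason: grant.authority + " is not a site member" };
  }
  return { ok: true };
}

// Build the JSON the hacked dialog sends. Each entry has the same shape the
// stock dialog uses for groups: {group, role, remove}. `inherit` controls the
// assumed isInherited flag; the post does not discuss inheritance, so the
// caller decides whether the company folder keeps the site's inherited ACL.
function buildPermissionRequest(nodeRef, grants, members, opts) {
  const inherit = opts && opts.inherit !== undefined ? opts.inherit : true;
  const permissions = [];
  const rejected = [];
  for (const g of grants) {
    const v = validateGrant(g, members);
    if (!v.ok) {
      rejected.push({ grant: g, reason: v.reason });
      continue;
    }
    permissions.push({ group: g.authority, role: g.role, remove: !!g.remove });
  }
  // "workspace://SpacesStore/<id>" becomes the path "workspace/SpacesStore/<id>"
  const uri = nodeRef.replace("://", "/");
  return {
    url: "/share/proxy/alfresco/slingshot/doclib/permissions/" + uri, // assumed path
    body: { permissions: permissions, isInherited: inherit },
    rejected: rejected,
  };
}

// Constructed sample: one project site, externals from two companies.
const SITE = "project-x";
const MEMBERS = {
  "manager.jane": "SiteManager",
  "anna.acme": "SiteContributor",
  "bob.acme": "SiteContributor",
  "carl.globex": "SiteContributor",
};
const ACME_FOLDER = "workspace://SpacesStore/11111111-aaaa-bbbb-cccc-222222222222";

const acmeRequest = buildPermissionRequest(ACME_FOLDER, [
  { authority: "anna.acme", role: "SiteCollaborator" },
  { authority: "bob.acme", role: "SiteCollaborator" },
  { authority: "carl.globex", role: "SiteManager" },                                   // rejected: role too high
  { authority: siteRoleGroup(SITE, "SiteContributor"), role: "SiteCollaborator" },   // rejected: a group, not a user
  { authority: "eve.unknown", role: "SiteCollaborator" },                              // rejected: not a site member
], MEMBERS, { inherit: false });

console.log(JSON.stringify(acmeRequest, null, 2));
```

The only thing the dialog changes compared to stock Share is the value placed in "group"; everything else in the request stays as the stock dialog sends it, which is why the server accepts a username there without modification.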

For prototyping this is  all fine. Still don’t know how I would implement these requirements “seriously” in a real project. Suggestions are welcome.

Download Alfresco Share 3.4.c permissions hack


Andreas Steffan
Pragmatic ? Scientist and DevOps Mind @ Contentreich. Believes in Open Source, the Open Web and Linux. Freelancing in DevOps-, Cloud-, Kubernetes, JVM- and Contentland and speaks Clojure, Kotlin, Groovy, Go, Python, JavaScript, Java, Alfresco and WordPress. Built infrastructure before it was cool. ❤️ Emacs.

